Phish Phood: Don't take the bait from identity thieves
By Don Kuehn
"Phishing" is a high-tech scam using e-mail masquerading as a legitimate company in an attempt to learn private, personal information that will be used to steal your identity and your money.
They got me.
Chances are, given a little time and a lack of diligence, they'll get you, too.
In my case, before I realized what had happened, my bank account had been tapped for almost $4,400 via ATM withdrawals. Fortunately, my bank is FDIC insured, so after considerable hassles and following specific directions, in a few weeks the money was restored to my account.
So, how'd it happen? I wish I could tell you. All I know is that one day I logged on to my bank Web site and was surprised to find numerous ATM withdrawals originating from Madrid, Spain. Curious, since I haven't been to Madrid since an AFT assignment in the mid-1980s.
According to the Federal Trade Commission, phishers send an e-mail or pop-up message that appears to come from some legitimate business or organization that you deal with—like your bank, Internet service provider, online payment service or even a government agency. The message usually asks you to update or validate your account information, often threatening some dire service consequences if you fail to reply.
Now that I have done some research on how these things happen, I can guess that I probably got reeled in by responding to one of these official-looking e-mails.
I know that's a really stupid thing to do. I know that now. Banks and other institutions almost never need to ask you for any of your magic numbers, like account and PIN numbers, and they would never ask for such confidential information via e-mail.
Here are some tips to avoid being hooked in a phishing expedition:
- Do not reply to an e-mail or pop-up that asks for account information. Resist the "click" … do not even click on the link in the message. If you are concerned, contact the institution through an address or phone number you know is legitimate.
- Never e-mail personal information. E-mail is not a secure means of transmitting any information. On the Internet, look for signs that a Web page is secure, such as a "lock" icon on the browser's status bar or the prefix "https:" (the "s" indicates that the site is secure). Caution: No indicator is foolproof.
- Review credit card and bank account statements as soon as you receive them to be sure all charges are legitimate.
- Use anti-virus software and keep it up-to-date. Some phishing e-mails contain viruses that can harm your computer files or track your Internet activities without your knowledge.
- Be extremely cautious about opening any attachment or downloading any file from e-mails you receive, regardless of who sent them.
- Report suspicious activity to the Federal Trade Commission. If you get spam that is phishing for information, forward it to firstname.lastname@example.org. If you believe you have been scammed, file a complaint at http://www.ftc.gov/, then visit the FTC's identity theft Web site at www.consumer.gov/idtheft to learn how to minimize your risk of damage from ID theft.
Phishing for your account number and PINs can be the first step in stealing your total identity. In 2001, there were approximately half a million identity theft victims who filed police reports. Credit card companies and banks picked up a tab for about $5 billion. The average victims spent $1,374 and 175 hours cleaning up their credit reports.
Here's a simple scenario: You write a check at the grocery store for 50 bucks. Your name, address and maybe your phone number appear on the check, which also displays the name and address of your bank and your account number. The clerk asks to see your driver's license, writes down that number (which in 19 states is also your Social Security number), notes your date of birth and asks for a work phone number.
Is there anything else a thief needs to take over your identity and begin a raid on your assets? Potentially hundreds of people will have access to this check before it clears your bank. Armed with just the little bit of information you gave voluntarily to pay for a few groceries, an enterprising thief can get a Visa card, get a cell phone, furnish his home, rent a car, apply for a mortgage or open accounts for Internet banking in your name.
Frank W. Abagnale is an expert on identity theft. He was a crook for years. Reformed now, he is the author of Catch Me If You Can, which details his criminal escapades. Here are his top 10 tips to avoid becoming a victim of identity theft.
- Guard your Social Security number. Never print your SS number on your checks. If your state allows, change your driver's license number to something other than your SS number. If it's needed to apply for a loan or to make any other transaction, ask that your number be removed or obliterated, or insist that the original is returned to you after the loan decision has been made.
- Monitor your credit report. The three credit reporting bureaus—Equifax, Experian and TransUnion—will provide copies of your credit report for a fee, but under the new Fair Credit Reporting Act you will be able to get a free copy every year. Identity theft victims will be able to order two copies in the year in which a theft occurs.
- Buy a shredder … and use it. Thieves may use your garbage to find information about you. Shred all old bank, brokerage and credit card statements as well as credit card offers that come in the mail. Cross-cut shredders are superior to regular ones.
- Remove your name from marketing lists. The three credit bureaus maintain lists that may contain your information. Contact them to remove you name.
- Watch what you carry in your wallet. Don't carry your SS card or extra credit cards or other important identity documents except when you need them. In the wrong hands, these documents can give easy access to your accounts.
- Keep duplicate records. Place the contents of your wallet on a photocopy machine. Copy both sides so you have duplicate information if your wallet or purse is stolen.
- Mail bill payments from a safe location. Do not pay bills from home. They can be stolen from your mailbox. Take them to the post office.
- Monitor your Social Security activity. Check your earnings and benefit statements every year to make sure no one is using your SS number fraudulently.
- Monitor your credit card activity. Carefully examine your statements for bogus charges and use the Internet to check charges against your accounts on a regular basis. If accounts show up on your credit reports that you don't use—old department store or affinity card accounts, for example—cancel them.
- Know who you're talking to. Never give your credit card numbers or personal information over the phone unless you have initiated the call and trust the business you're dealing with.
- Do not pay a bill that resulted from identity theft, even if creditors pressure you with collection actions. If necessary, seek legal advice.
- If you receive an e-mail phishing for information to update your account records—especially if you don't have an account with that company—forward the message to email@example.com. Someone is chumming for a phish.
When Willie "the Actor" Sutton was arrested in 1952, he was asked why he robbed banks. His famous reply: "Because that's where the money is." Today's "actors" are casting a wide net to catch the estimated 5 percent of us who will respond to a phony e-mail seeking personal information—because that's where the money is today.
Protect your identity. Don't become phish phood. It's your money.
Don Kuehn is a retired AFT senior national representative. This column is intended to increase knowledge and awareness of issues of importance to members and retirees. For specific advice relative to your personal situation, consult competent legal, tax or financial counsel. Comments and questions can be sent to firstname.lastname@example.org .